From: | Israel Barth Rubio <barthisrael(at)gmail(dot)com> |
---|---|
To: | Jacob Champion <jchampion(at)timescale(dot)com> |
Cc: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>, Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist |
Date: | 2023-01-25 18:27:04 |
Message-ID: | CAO_rXXBrU=2UB9LsGH41dLfW5sntMX9+bEpHEiN8J4yTMNaN7g@mail.gmail.com |
Lists: | pgsql-hackers |

Hello Jacob,

> I'm not sure how helpful it is to assign "blame" here. I think the
> requested improvement is reasonable -- it should be possible to
> override the default for a particular connection, without having to
> pick a junk value that you hope doesn't match up with an actual file
> on the disk.

Right, I agree we can look for improvements. "blame" was likely
not the best word to express myself in that message.

> sslmode=disable isn't used in either of our proposals, though. Unless
> I'm missing what you mean?

Sorry about the noise, I misread the code snippet shared earlier
(sslmode x sslcertmode). I just took a closer look at the previously
mentioned patch about sslcertmode, and it seems to be a somewhat
more elegant way of achieving something similar to what has
been proposed here.

Best regards,
Israel.

On Wed, Jan 25, 2023 at 14:09, Jacob Champion <
jchampion(at)timescale(dot)com> wrote:
> On Wed, Jan 25, 2023 at 7:47 AM Israel Barth Rubio
> <barthisrael(at)gmail(dot)com> wrote:
> > I imagine more people might have already hit a similar situation too. While the
> > workaround can seem a bit weird, in my very humble opinion the user/client is
> > somehow still the one to blame in this case as it is providing the "wrong" file in
> > a path that is checked by libpq. With that in mind I would be inclined to say it is
> > an acceptable workaround.
>
> I'm not sure how helpful it is to assign "blame" here. I think the
> requested improvement is reasonable -- it should be possible to
> override the default for a particular connection, without having to
> pick a junk value that you hope doesn't match up with an actual file
> on the disk.
>
> > Although both patches achieve a similar goal regarding not sending the
> > client certificate there is still a slight but in my opinion important difference
> > between them: sslmode=disable will also disable channel encryption. It
> > may or may not be acceptable depending on how the connection is between
> > your client and the server.
>
> sslmode=disable isn't used in either of our proposals, though. Unless
> I'm missing what you mean?
>
> --Jacob
>